Tell Verizon to bring back FTP [telecom]

Instead of bringing back FTP, maybe they should offer SFTP. That should eliminate their security woes, and any web page builder should be able to find an SFTP client that's easy to use.

The problem is that most web-design programs made before 2000 are only coded for ftp, and turning off ftp is an effective way to force users to use the brain-dead preformated sites and tools. Why an ISP would want to do that is anyone's guess.

Bill

Bill Horne wrote: :On Thu, May 16, 2013 at 06:52:00PM -0400, Matt Simpson wrote: :> In article , :> Bill Horne wrote: :> :> > I know that ftp isn't secure, but anyone who has struggled through :> > getting Dreamweaver to create a web page, and then found themselves :> > unable to upload it, will understand why I think this is worth :> > publishing. :> :> Instead of bringing back FTP, maybe they should offer SFTP. That should :> eliminate their security woes, and any web page builder should be able :> to find an SFTP client that's easy to use.

:The problem is that most web-design programs made before 2000 are only :coded for ftp, and turning off ftp is an effective way to force users

It's 2013. Inability to use a secure file transfer program isn't really a good reason to support insecurity, and neither is suporting seriously obsolete web design tools.

:to use the brain-dead preformated sites and tools. Why an ISP would :want to do that is anyone's guess.

Lower support costs, or they want to kill the service entirely.

My son drives a 1997 Buick. It's "obsolete" by your logic. It's also capable of going 65 on the Interstate, gets about-the-same-mileage as any other car, and moves him from home to job in a reliable manner. Plus, the roof doesn't leak (I've owner cars where the roof /did/ leak), and all the ergs that /might/ be saved by him purchasing some newer, shinier model were amortized years ago.

"Obsolete" is in the eye of the owner: if it gets the job done, it's not obsolete, by definition. I've had customer who ran DOS-based accounting software in 2006. It's what their staff was trained on, and it got the job done, so they used it.

Dreamweaver and similar programs are very expensive: they are professional-grade web design tools, but cost the better part of a thousand dollars to put in service. Small design shops that are watching every penny sometimes choose to make do with older releases: That's /their/ choice, not mine.

"Security" is relative: given that the material is, by its nature, intended for public distribution, I don't see why keeping it "secure" would be important. If you're referring to the ftp software itself being insecure, I disagree: some /extensions/ have been problematic, but the basic functions are no more "insecure" than http. /Any/ software needs maintenance: security and bug fixes are the bread and butter of the sysadmin's day, and ftp daemons are no exception.

They don't want to kill the service entirely: they just want to hobble its users to the point where they go to commercial sites in disgust. That's a win-win for the ISP: they get to claim that they include "free" websites with their monthly fee, but charge extra for webspace that's actually usable.

Bill, who is a Verizon DSL customer and therefore entitled to complain about it.

The security issue is that FTP passes your ID and password in the clear where it is more subject to snooping by bad guys who use it to upload malware droppers to your web site (which they do.)

I agree that the chances of traffic being sniffed on the way from your home broadband to VZ are pretty low, but people update their web sites from coffee shop wifi which is notoriously sniffable.

If you want to keep using antiqueware, run a local FTP server on your own PC, FTP the files to that, and use https or sftp or something more modern to move them to your host.

Verizon can afford appropriate anti-malware measures.

If that were the problem, Verizon could require that uploads only come from IP addresses that are assigned to the web site(s) in question, or could demand that customers use separate passwords for ftp: it could ask users to download a one-time upload key and use that instead of their regular account password. The company could also require a pre-authorization call from the phone number associated with the account, or even charge a fee for uploads, thus leveraging the security systems dedicated to preventing credit-card fraud.

That's the issue in a nutshell: AFAIK, Verizon doesn't offer /any/ upload method, no matter how secure it might be. The company demands that all web mods be done via a brain-dead, text only interface. (1)

I think Mr. Scheidt is correct: Verizon wants to kill the service. I think I was right, too: Verizon doesn't want to give up whatever advertising value it gets by /claiming/ to offer websites.

Bill

1. If anyone has a method to upload files to a "free" web server associated with Verizon ADSL, I'd like to know it.

That's why many web designers use FileZilla (a SourceForge project attuned to many operating systems) to transfer their files securely -- FileZilla supports natively three different variations on a secure FTP(*) -- it suffices to point the local panel in the FileZilla UI to the local directory holding what your web-design programs produced, and the remote panel to the remote directory you want to transfer those files to, and then to drag'n'drop the files needing FTP-age.

HTH. Cheers, -- tlvp

(*) SFTP -- SSH File Transfer Protocol; FTPS -- FTP over implicit TLS/SSL; and FTPES -- FTP over explicit TLS/SSL (using FileZilla's descriptions)

That was certainly the motive of at&t WorldNet -- first they discouraged FTP except on the part of folks dialed in to their own dial-up-modem pools, though they had earlier allowed FTPES through DSL; later they dropped their Personal Web Page offering entirely (with about 6 weeks' notice, at that).

Remember: forewarned is fore-armed. Cheers, -- tlvp

I hate arguing with an overwhelmingly friendly and knowledgable sysadmin/moderator, but let me nonetheless point out that:

1) precisely because the web matter to be FTPed is intended for public distribution, it's vital that no malicious malefactor be in a position to tamper with the files -- not before they're in place, as might occur with an insecure http-based transfer process; nor after they're in place, as might happen with an insecure FTP ritual if an interloper could sniff your web-host AUTH data from your FTP session, thereafter to log in as you and replace stuff willy-nilly; 2) just as http is insecure (as compared with https), and there are insecure and secure variations of the POP3 and IMAP and SMTP mail protocols (and the NNTP net news transfer protocol), so one wants to be using a secure version of FTP as urgently as one wants https for inline banking; and 3) FileZilla itself keeps itself maintained with fresh security patches and bug fixes, as must all working software.

Apologies if my best intentions came off as carping or trolling -- not what I had in mind at all. Cheers, -- tlvp

Seems to me the problem is doing mission critical work (like updating a web site or conducting commerce) from seriously "sniffable" locations, like coffee shops and the like.

As to FTP in general, I agree with Mr. Horne's comments, and do not agree with Mr. Scheidt about obsolescence. As Mr. Horne pointed out, frequent upgrading to stay "modern" is a cost in time, software, and hardware that not everybody has.

Historically, in the mainframe world, great efforts were made to maintain backward compatibility for _decades_ in order to protect the software investments of the customers and end users. That also applied in the telecom world and broadcast world.

Many companies are discovering that rewriting their legacy "green-on- glass" mainframe systems into something modern is extremely costly and disruptive to the organization.

My suspicion is NOT that they want to eliminate FTP or SFTP or any other such thing, but the purpose they are doing this is specifically to prevent customers from providing their own code.

If they lock customers into using their own code generator, they have a lot more control over their own security.

And, let's face it, this is not a high end hosting facility. If you want to put up a real website, you probably want to get a real web provider. And Verizon probably does not want you as a customer for their bundled web server service anyway.

--scott

I don't think Verizon cares about "Security" in the sense of wanting to prevent bad code. I think the company wants to eliminate web service in all but name; to be able to /claim/ that it offers "Personal Web Pages", without having to support them or risk embarassment by having any user employ one as a virus source.

Verizon has already eliminated some web page offerings: if my experience trying to access "my" pwp is any guide, they've already killed those associated with ADSL. I'll confirm that tomorrow, but if anyone has a seen a change in the TOS that said this would happen, please phone it in.

Most small companies have static content: basic information and contacts, and maybe even a list of products, but no shopping cart or other active pages. A "personal" page works fine for that kind of thing, and it doesn't take a lot of computer muscle to deliver static files: it's what /every/ web server starts off doing, after all.

The question, then, is "Why"? It's unlikely that any major new players will emerge from basements or garages or dorm rooms, but even the next Larry Page or Sergei Brin or whomever can afford commercial web space, since the dot-bomb left so much capacity lying unused. So, why does Verizon seek, AFAICT, to neglect its web service until it's only available in theory?

Bill

You're a decade out of date, Bill. The world doesn't work like that any more, not for a long time. *Any* new Web service today is going to start at a virtualization provider like Amazon or Rackspace, not on the spare server in the back room -- and this includes the ones founded in basements, garages, and dorm rooms. There is simply no sense to tying up capital in any sort of physical infrastructure until your business is big enough that you're building your own data centers. (And frankly, even if you're a hotshot Web developer, server operations is highly unlikely to be in your core competencies anyway; better to leave that to someone else.)

-GAWollman

The /question/ is, *why* is Verizon sabotaging its own web offering?

It's Verizon. Because they can.

"We don't care. We don't have to. We wouldn't even know how."

HTH, HAND,

PS: They've probably noticed that the cable providers they compete with don't provide any web hosting at all on consumer accounts.

They aren't sabotaging it. They're doing something that is going to get rid of the higher volume customers that they don't want.

It's not a "web offering." It's not a revenue source, it's a revenue sink. It's a free bonus offered in with cheap consumer accounts. Verizon wants to spend as little money as possible running it and have as few customers as possible actually using it.

--scott

Well, that's certainly the simplest explanation, and Occam's Razor would yield that result - if it fit all the facts. However, given the "because they can" reason, I'd expect them to just turn the web servers off.

But, it doesn't make sense to me. I'm the last guy in the world to defend Ma Bell, but ISTM that /someone/ has to benefit from what they're doing, and I don't see the logic.

Bill

Similar to ISPs shutting down all their NNTP Usenet servers -- it's been happening for awhile now and it's continuing.

Duke University, where Usenet began, shut down their server(s) on May 20, 2010, three years ago to the day:

Inexpensive web hosting is readily available for dirt cheap. I've directed many friends, colleagues and associates to the provider I have been using since mid-1995 and they provide today a FreeBSD virtual system with full shell access, Apache, WordPress, qmail, spamassassin, Dovecot IMAP, etc. all bundled in together for just $9.95/month. The account I have has been grandfathered and no longer available for new customers -- it gives me backup hard drives and a lot of other services for just $25/month and I've over 200GB online (most of it private). Uptime is the proverbial 99.999% as you can see (since the last OS update):

thadlabs bash 78070/78072> date Mon May 20 14:06:02 PDT 2013 thadlabs bash 78070/78072> uptime 2:06PM up 579 days, 11:23, 5 users, load averages: 0.00, 0.00, 0.00 thadlabs bash 78070/78072> uname -sn FreeBSD thadlabs.com

For those unaware, Dovecot is one of only three 100% IMAP conforming servers as you can read here:

Thad

Ah, but have they noticed that those cable providers are providing *static* IPs, so that their subscribers can register a domain with any registrar and then host their very own servers from their very own basements?

No static IP from DSL providers except at extra cost AFAIK. Cheers, -- tlvp